feat(900100): adding a new score - danger#4439
Closed
touchweb-vincent wants to merge 1 commit into
Closed
Conversation
|
+1 |
Contributor
|
Just saying: it's a non-critical issue, but now you put a non-used variable into the rule set. See the linter's output. |
Contributor
Author
|
Yes, I’m aware that there will be some implications of this kind. I’m just taking the temperature to see whether this is a no-go or an acceptable idea. |
Member
|
@touchweb-vincent I would like to see more of this into ISSUES, and not PRs. The discussion can be followed better, and AFTER there is a decision, you can come with the implementation. 🙏 |
Contributor
Author
Member
|
Per Monthly chat, we will review this in the future if it still makes sense. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Proposed changes
Hello,
As you know, many deployments do not follow OWASP CRS recommendations, namely blocking at a score of 5. As a result, it is common to encounter integrations where the blocking threshold is set much higher, often around 25 points.
We all know that some rules are particularly critical and have no false positives, or only extremely rare ones.
I therefore propose introducing a new score : danger_anomaly_score, which would increase the anomaly score by 25 points, in order to maximize the likelihood that these rules are still triggered even when the blocking threshold is set excessively high.
Some of you will probably reply that this is a dog chasing its own tail, and that questionable integrators will simply adapt by increasing the blocking threshold even further.
I agree with this point.
However, I believe that if this new score is used very sparingly, it can still help improve the security of projects relying on OWASP CRS. At the very least, it sends a clear signal that the rule captures inherently dangerous inputs, with no observed false positives or extremely rare legitimate use cases, which must be mitigated on a case-by-case basis.
For those who will reply that “all rules with a critical anomaly score” are “dangerous”, I also agree with you.
However, we all know that some of them are difficult - if not very difficult - to safely enable in production in certain contexts, particularly in e-commerce environments.
Here are a few examples of rules that could fall under this new score:
If you agree with this approach, I can work on a more exhaustive list based on our field experience and feedback.
What do you think ?
Thanks, for your time.
PR Checklist
commentfield to write the expected behaviorFurther comments
For the reviewer
ctl:requestBodyAccess=Offwere used in the rule